If a user wants to have key material in a secure device to have different cryptographic periods, managing the cryptographic periods can be a challenge. A cryptographic period is defined as the period of time during which key material is valid; key material is used to encrypt and/or decrypt information.
Based on the user's security policy, the user determines how long he wants to use the key material before changing it. Depending on the operations the user is involved with, he may want to have the key material he is using change at different intervals. Changing key material at different interval requires the user to manage multiple cryptographic periods. For example, a user may have key material that needs to change once a month and other key material that needs to change once every six months.
The APCO over-the-air-rekeying (“OTAR”) standard defines the ability to use multiple cryptographic groups (a collection of keysets, where a keyset in a group of key material that is valid for the same cryptographic period) to manage multiple cryptographic periods. Multiple cryptographic periods could be obtained by placing key material of the same cryptographic period into the same cryptographic group, wherein the key material is managed using storage location numbers (“SLN”; also known as common key references). The standard allows sixteen different cryptographic groups to be defined, and thus a maximum of sixteen different cryptographic periods could be managed. This solution requires more than two keysets, as keysets must be unique between cryptographic groups.
In existing conventional OTAR two-way radio systems, one cryptographic group and two keysets are used and supported by the APCO OTAR protocol standard. Thus, only one cryptographic period is supported.
Implementing multiple cryptographic groups allows for multiple cryptographic periods; however, managing multiple cryptographic groups and keysets can be confusing and complex. Managing one cryptographic group and two keysets has proven to be a challenge in existing conventional OTAR two-way radio systems. Multiple cryptographic groups also introduce the potential for interoperability issues such as coordinating the SLNs that are used for interoperability and the cryptographic period of those SLNs. Adding a new SLN to an existing system may not be straightforward either. For example, if the user wants to add a SLN, they may not be able to add the next one in their list of SLNs; first the user needs to determine the cryptographic period for the SLN, find the cryptographic group that has this cryptographic period or create a new one, and get a SLN from that cryptographic group.
Thus, there exists a need for a solution that simplifies key management and allows the user to assign a cryptographic period to each SLN in a single cryptographic group without being limited by or coordinating with the existing SLNs in the system.